CN109815698A - Determining malware using firmware - Google Patents

Publication number
CN109815698A
Authority
CN
China
Prior art keywords
bmc
malware
device
indication
computing device
Legal status
Granted
Application number
CN201810035877.2A
Other languages
Chinese (zh)
Other versions
CN109815698B (en
Inventor
J·S·豪尔沙尼
苏哈斯·希万纳
路易斯·E·卢恰尼·吉
Current Assignee
Hewlett Packard Enterprise Development LP
Original Assignee
Hewlett Packard Enterprise Development LP
Application filed by Hewlett Packard Enterprise Development LP

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G06F21/60 Protecting data
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

Examples disclosed herein relate to determining malware using firmware, and in particular to determining malware using the firmware of a computing device. The firmware can be used to determine that an indication that malware is present on the computing device exists. In response to the indication of malware on the computing device, the firmware can be executed to perform a security action.

Description

Determining malware using firmware
Background
Service providers and manufacturers are challenged to deliver quality and value to consumers, for example by providing access to computing capabilities. A data center is a facility used to house computer networks, computer systems, and associated components, such as telecommunications and storage systems. Equipment in a data center may be in the form of servers mounted in racks. A data center may be the target of malware attacks, for example ransomware attacks.
Brief description of the drawings
The following detailed description refers to the drawings, in which:
Fig. 1 is a block diagram of a computing device capable of performing a security action in response to determining an indication that malware is present on the computing device, according to an example;
Fig. 2 is a block diagram of a computing system including a computing device capable of performing a security action in response to determining an indication that malware is present on the computing device, according to an example;
Fig. 3 is a flowchart of a method for performing a security action in response to an indication of malware, according to an example;
Fig. 4 is a block diagram of a computing device including a baseboard management controller capable of performing a security action in response to an indication of malware, according to an example;
Fig. 5 is a flowchart of a method for starting a recovery process based on confirming a firmware indication that ransomware is present on a system, according to an example; and
Fig. 6 is a block diagram of a central management system capable of starting a recovery process on a computing system based on a firmware indication of ransomware, according to an example.
Throughout the drawings, identical reference numerals may designate similar, but not necessarily identical, elements. An index "N" appended to a reference numeral may be understood to merely denote plurality, and may not necessarily represent the same quantity for each reference numeral having such an index "N". In addition, use herein of a reference numeral without an index, where that reference numeral is referred to elsewhere with an index, may be a general reference to the corresponding plural elements, collectively or individually. In another example, an index "I", "M", etc. can be used in place of the index N.
Detailed description
Entities can seek to avoid security attacks by identifying vulnerabilities in their data centers. A vulnerability can include a flaw and/or weakness in the design, implementation, operation, and/or management of a network in a data center that could be exploited to violate the security policy of the network (for example, a circumstance and/or event with the potential to adversely affect the network through unauthorized access to, destruction of, disclosure of, and/or modification of an asset of the entity). An exploit can include computer-readable instructions, data, and/or a sequence of commands that uses a vulnerability to cause unintended and/or unanticipated behavior. A security attack can include the use and/or attempted use of an exploit against a vulnerability. To avoid subsequent security attacks, an entity can carry out an investigation (e.g., a forensic investigation) to determine which exploits were used against which vulnerabilities during the security attack.
Based on threat intelligence and market intelligence, it is apparent that the number of attacks that use malware against the operating system, firmware, and hardware layers has increased, for example malware used for ransom purposes and to disrupt the economy, national security, and/or critical infrastructure. With malware and ransomware exploit kits easy to obtain from the dark web, attacks keep changing and are becoming more sophisticated.
Some attacks aim to encrypt the boot block (e.g., the master boot record (MBR)) together with data, and recent attacks have caused chaos in many small and medium-sized businesses and enterprises. As used herein, a boot block is a region of a storage device associated with the initial instructions read by a processor of a computing device. In view of the increase in malware and ransomware, advanced persistent threats, and the security trend toward hardware and firmware, it is advantageous to detect these sophisticated attacks and to recover from them securely and automatically. Such an automatic detection and recovery solution can help users of computing systems quickly recover their operating systems (OSes) and platform assets, and can reduce recovery time.
As used herein, malware is hostile or intrusive software. Examples include computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and the like. Ransomware is a type of malware that threatens to publish the victim's data or block access to it unless a ransom is paid. Some ransomware can lock the system being attacked. For example, ransomware can encrypt the victim's files so that they cannot be accessed. Some ransomware is carried out using a Trojan disguised as a legitimate file that the user is tricked into downloading and opening. Other ransomware can travel between computers without user interaction. In some examples, malware (such as ransomware) can attempt to propagate itself using interfaces associated with the computing system on which it resides, by scanning drives and interfaces associated with the computing system, writing to or modifying drives, and so on.
Accordingly, described herein is an OS-agnostic approach that helps detect OS attacks from firmware and the platform. In one example, a management processor, such as a baseboard management controller (BMC), can use honeypot techniques to help detect malware. Embedded storage or emulated storage that the BMC can access can be presented to the operating system. Based on the honeypot technique, the BMC can determine an indication that malware is present on the computing device. A security action can be performed in response to the indication.
In this example, an agentless monitoring and alerting approach is provided for using firmware to detect malware-type attacks (for example ransomware) on a computing device (such as a server platform). Storage can be presented to the OS, such as flash memory (e.g., a NAND partition, a Secure Digital card, etc.), physical embedded storage, or emulated disk storage from the BMC, such as a hard disk drive. The storage is also accessible to the BMC. The storage can be configured to look like partitions with a boot block (e.g., an MBR) and additional data, to simulate a production drive of the OS.
The BMC can monitor the storage for malware or ransomware activity or patterns. If such activity is found, a potential threat is indicated to the BMC. In one example, any write activity on the storage, or continuous write activity within a time window, can be treated as an activity or pattern, because the drive is not supposed to be manipulated. In other examples, corruption, encryption, or other patterns can indicate the activity or pattern. Moreover, in some examples, the activity or pattern can be based on an approach used by one or more toolkits known for that malware attack approach. For example, access to and/or modification of the boot block can result in an anomaly event generated by the BMC. The anomaly event can trigger a security action of sending the anomaly event to a central management system (CMS). The anomaly event can include additional information, such as logs associated with the activity, OS logs, system logs, and the like. The anomaly event notification can also include analysis completed by the BMC.
Further, in some examples, the security action of the BMC can include actions taken after the state of the system has been verified. Such a security action can include isolating the system, shutting down the system and/or individual interfaces of the system, backing up audit logs, and so on. The process of sending the anomaly event to the CMS can allow the authenticity and integrity of the event to be verified.
In another example, a different approach that uses firmware can be used to detect malware. In this example, a tool can use a firmware interface (such as a Unified Extensible Firmware Interface (UEFI) application or another lightweight bootable image) to implement security diagnostics. The security diagnostics application can be executed on demand or based on the observed state of the computing system (e.g., repeated crash loops or failure to boot the main OS). In one example, after a threshold of consecutive boot failure events, the tool can be invoked by the firmware interface using a flag set by the BMC. In another example, the flag can be triggered by manual user input or by console log diagnostics that indicate malware. The tool can have the capability to inspect storage drives, for example detecting MBR encryption, detecting encrypted data in the boot partition, and looking for particular signatures or patterns in the drive, to detect malware, ransomware, or other advanced attack signatures on the storage drive.
In some examples, the boot partition is a partition of storage that contains a boot loader (software intended to boot the OS). In some examples, the boot partition can include the MBR. The tool can send its diagnostic results to the BMC and/or the CMS (e.g., via the BMC).
In some examples, after repeated boot failure events or based on other configured rules or policies, the BMC can use pattern matching and/or anomaly detection to automatically analyze console logs for ransomware or other malware messages. In response to detecting malware, the CMS can coordinate recovery of the system and/or of other systems communicatively coupled to the computing system.
Fig. 1 is a block diagram of a computing device capable of performing a security action in response to determining an indication that malware is present on the computing device, according to an example. The computing device 100 includes a firmware engine 110, which can include a BMC 112 and firmware executable by a processor or processing element, an operating system 116, a storage drive 118, a processing element 130, and memory 132.
Fig. 2 is a block diagram of a computing system including a computing device capable of performing a security action in response to determining an indication that malware is present on the computing device, according to an example. The system 200 can include the computing device 100 and other devices 240a-240n, which are connected together and to a central management system 260 via a management network 220. In one example, the CMS can include a recovery engine 262. An input/output interface 234 of the computing device 100 can be used to communicate with other devices, for example via a network 250. The input/output interface 234 can also be used to implement other input/output, for example storage functionality (e.g., access to one or more storage arrays).
Although not detailed, in order to simplify the explanation, the functionality described for the computing device 100 can be used for the devices 240a-240n. Moreover, the devices 240 can be connected to one or more networks other than the management network 220.
As noted above, the firmware engine 110 can be used to monitor the computing device 100 for malware. The firmware engine 110 can be implemented as firmware instructions executing on at least one processor or physical processing element. In some examples, the processor can be the main processing element 130 of the computing device 100. In other examples, a separate processor can be used. The firmware engine 110 can be used to determine that an indication of malware is present on the computing device 100. In response to determining that the indication of malware is present, a security action can be performed.
In one example, the BMC 112 is used to determine the indication that malware is present on the computing device 100. The BMC 112 can be implemented using a processor separate from the processing element 130 that executes the high-level operating system 116. BMCs provide so-called "lights-out" functionality for computing devices. The lights-out functionality can allow a user, such as a system administrator, to perform management operations on the computing device 100, 240 even if an operating system is not installed or not functional on the computing device. In addition, in one example, the BMC 112 can run on auxiliary power, so the computing device 100, 240 need not be powered to an on state, in which control of the computing device 100, 240 is handed over to the operating system 116 after boot. As examples, the BMC 112 can provide so-called "out-of-band" services, such as remote console access, remote reboot and power management functions, monitoring the health of the system, access to system logs, and the like. As used herein, a BMC 112 has management capabilities for subsystems of a computing device 100, 240, and is separate from the processor or processing element 130 that executes the main operating system of the computing device (e.g., a server or set of servers).
As noted above, in some cases the BMC 112 can enable lights-out management of the computing device 100, which provides remote management access (e.g., system console access) regardless of whether the computing device 100 is powered on, whether the primary network subsystem hardware is functioning, or whether the OS 116 is running or even installed. The BMC 112 can include an interface (such as a network interface) and/or a serial interface that an administrator can use to communicate remotely with the BMC 112. As used herein, an "out-of-band" service is a service provided by the BMC 112 via a dedicated management channel (e.g., the network interface or the serial interface), and it is available whether or not the computing device 100 is in a powered-on state.
In some examples, the BMC 112 can be included as part of an enclosure. In other examples, the BMC 112 can be included in one or more servers (e.g., as part of the management subsystem of the server) or connected via an interface (e.g., a peripheral interface). In some examples, sensors associated with the BMC 112 can measure internal physical variables such as humidity, temperature, power supply voltage, communication parameters, fan speeds, operating system functions, and the like. The BMC 112 can also reboot or power cycle the device.
The operating system 116 is system software that manages computer hardware and software resources and provides common services for computer programs. The OS 116 can execute on the processing element 130 and be loaded into the memory 132. The OS 116 is a high-level OS, such as LINUX, WINDOWS, UNIX, a bare-metal hypervisor, or other similar high-level software to which the boot firmware of the computing device 100 hands over control of the computing device 100.
The storage drive 118 can be a hardware storage device or can be emulated by the BMC 112. The OS 116 is given access to the storage drive 118. In one example, the storage drive 118 can be connected by a bus to the processing element 130, which can present the storage drive 118 to the OS 116. In some examples, the storage drive 118 can include multiple partitions. For example, one partition can include executable firmware 114, such as firmware for intelligent provisioning of the computing device 100. In other examples, the storage drive 118 can be implemented using one of various technologies, such as a hard disk drive, a solid state drive, NAND flash memory, SD flash memory, and the like. A hardware storage drive can also be accessible to the BMC 112, for example via one or more buses, controllers, and interfaces.
In another example, the BMC 112 can present an emulated storage drive 118 to the OS 116. As such, in one example, the storage drive 118 can be presented as a virtual drive. Various current approaches can be used to provide such an emulated or virtual drive. For example, the BMC 112 can emulate a storage device interface to the processing element 130 via one or more buses or interfaces. For example, an input/output (I/O) controller can be used as the interface, as can a southbridge, a super I/O chipset, and the like. In one example, the storage device can be emulated as connected via Peripheral Component Interconnect (PCI), PCI-X, or PCIe. In another example, another interface can be used; for example, a Universal Serial Bus (USB) storage device can be emulated and presented. In one example, the emulated USB storage device can be presented to the OS 116 via the processing element 130 and an I/O controller (e.g., via a PCI bus). In some examples, the emulated storage device is thin provisioned so that it appears to have a larger capacity than is actually available. In other examples, metadata presented together with the emulated storage device can be made to appear a certain way, even though the actual information may not be real. In some examples, random data patterns or actual files can be used. In some examples, the random data patterns can be customized for the individual computing device. For example, a serial number or a unique key can be used to generate one or more of the random data patterns.
In one example, when the computing device is initially booted into a service operating system (OS) or provisioning engine in the factory, a unique private key and public key are generated and "glued" onto the system by being saved into BMC storage. This storage can be persistent and not replaceable. The BMC can allow access to the keys using an application programming interface. The values can be written to a write-once register on the same application-specific integrated circuit (ASIC) as the BMC. The write-once register can be implemented, for example, using fuses. In one example, the private key is created by executing an algorithm that uses a random source, and is then programmed. In another example, the public key is a cryptographic hash of the private key. In some examples, once programmed, the ability to change the register is disabled (e.g., by severing a fusible link, for example on a write line). A random algorithm for generating the data can be used based on the serial number or unique key associated with the computing device. Accordingly, it can be more difficult for an attacker to identify that the storage drive 118 is acting as a honeypot.
The storage drive 118 can be implemented as a honeypot. A honeypot includes data that appears to be a legitimate part of the computing device, but is actually isolated and monitored by the firmware engine 110 (e.g., the BMC 112). As noted, the storage drive 118 can be implemented to simulate information or resources of value to an attacker. In one example, the storage drive 118 can include simulated information representing a boot block (e.g., an MBR). Other data can be simulated to represent resources and/or information of value to an attack vector (e.g., an OS, video files, databases, picture files). In some examples, the simulated data can be based on the particular attack vector of a particular malware or toolkit (and can be abstracted). Further, in various examples, multiple storage drives can similarly be presented to the OS 116, representing different honeypots for malware.
The BMC 112 can monitor the storage drive 118. As noted above, the storage drive 118 is accessible to the operating system 116 and can also be monitored by the BMC 112. The BMC 112 can determine an indication that malware is present on the computing device 100. The monitoring can include tracking changes, modifications, or other activity on the storage drive 118. The monitoring can be periodic, or it can be implemented using an interrupt system. For example, if the BMC 112 is emulating the storage drive 118, the BMC 112 can know when the storage drive 118 is accessed. Because the storage drive 118 is not intended to have changes made to it, extensive resources of the BMC 112 need not be dedicated to implementing this approach.
As used herein, an indication of malware means that the BMC 112 suspects, for some reason, that malware may be present on the computing device. In one example, this can be based on a rule or criterion being satisfied. Various techniques can be used, for example security information and event management (SIEM) mechanisms, pattern matching, malware signature detection, regular expressions, and the like. In one example, an indication of malware exists if data of the storage drive 118 is modified or an attempt is made to modify it. In another example, certain activity, such as a scan of the data in the storage drive 118, can trigger the indication of malware. In some examples, the indication can be broader in scope than an actual confirmation of malware on the computing device.
In one example, the malware is ransomware. Ransomware is a type of malware that threatens to publish the victim's data or block access to it unless a ransom is paid. A ransomware message can be part of a signature that leads to an indication of ransomware. Moreover, encryption or attempted encryption of the data on the storage drive 118 can be treated as an indication of ransomware.
As noted, the BMC 112 can monitor the storage for malware or ransomware activity, patterns, or signatures. If such activity is found, a potential threat or malware indicator is indicated to the BMC 112. Moreover, in some examples, the activity or pattern can be based on approaches used by one or more toolkits known for a malware attack approach. As such, activity detected on the storage drive 118 according to a pattern can lead to an indication that malware (for example ransomware) is present on the computing device. In one example, the activity can include modification of the simulated boot partition (e.g., the MBR).
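The decoy drive and its monitoring, as described in the preceding paragraphs, can be sketched as follows. This is an added example, not code from the patent or from any BMC firmware: the HMAC-based filler scheme, the window and burst thresholds, the event fields, and all names (`decoy_sector`, `build_decoy`, `HoneypotMonitor`) are assumptions, and the key and serial number are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SECTOR = 512


def decoy_sector(device_key: bytes, serial: str, lba: int) -> bytes:
    """Device-specific filler for one sector (assumed scheme: HMAC-SHA256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < SECTOR:
        msg = f"{serial}:{lba}:{counter}".encode()
        out += hmac.new(device_key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:SECTOR]


def build_decoy(device_key: bytes, serial: str, sectors: int = 8) -> list:
    """Build a small decoy disk whose sector 0 looks like an MBR with one bootable partition."""
    disk = [bytearray(decoy_sector(device_key, serial, lba)) for lba in range(sectors)]
    entry = bytes([0x80, 0, 2, 0, 0x83, 0xFE, 0xFF, 0xFF])
    entry += (1).to_bytes(4, "little") + (sectors - 1).to_bytes(4, "little")
    disk[0][446:462] = entry
    disk[0][462:510] = bytes(48)        # three empty partition entries
    disk[0][510:512] = b"\x55\xaa"      # MBR boot signature
    return disk


@dataclass
class HoneypotMonitor:
    disk: list
    window: float = 5.0   # seconds; assumed policy value
    burst: int = 3        # writes inside the window treated as sustained activity
    baseline: list = field(init=False, default_factory=list)
    log: list = field(init=False, default_factory=list)

    def __post_init__(self):
        # Hash every sector once; the decoy is never expected to change afterwards.
        self.baseline = [hashlib.sha256(s).digest() for s in self.disk]

    def on_write(self, ts: float, lba: int, data: bytes) -> dict:
        """Interrupt-style hook: the emulation layer calls this for every host write."""
        self.disk[lba][:] = data[:SECTOR].ljust(SECTOR, b"\x00")
        self.log.append((ts, lba))
        recent = [(t, l) for t, l in self.log if ts - t <= self.window]
        reasons = ["write-to-decoy"]     # any write at all is already an indication
        if hashlib.sha256(self.disk[lba]).digest() != self.baseline[lba]:
            reasons.append("content-changed")
        if lba == 0:
            reasons.append("boot-block-modified")
        if len(recent) >= self.burst:
            reasons.append("sustained-writes")
        high = "boot-block-modified" in reasons or "sustained-writes" in reasons
        # Anomaly event that would be forwarded to the CMS together with the write log.
        return {"type": "malware-indication", "severity": "high" if high else "medium",
                "lba": lba, "reasons": reasons, "recent_writes": recent}

    def scan(self) -> list:
        """Periodic check for hardware-backed decoys: LBAs whose hash left the baseline."""
        return [i for i, s in enumerate(self.disk)
                if hashlib.sha256(s).digest() != self.baseline[i]]


if __name__ == "__main__":
    disk = build_decoy(b"constructed-device-key", "SN-CONSTRUCTED-01")
    mon = HoneypotMonitor(disk)
    print(mon.on_write(0.0, 3, b"\x00" * SECTOR))
    print(mon.on_write(1.0, 0, b"\xff" * SECTOR))
    print(mon.scan())
```

`on_write` models the interrupt-style case in which the BMC emulates the drive, and `scan` models periodic monitoring of a hardware-backed decoy.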
In response to the indication of malware on the computing device 100, the BMC 112 can perform a security action. In one example, the security action includes isolating the computing device 100 from other devices communicatively coupled to the computing device 100. This can be implemented, for example, by restricting access to or shutting down one or more of the input/output interfaces 234. In one example, the BMC 112 can also be placed in a heightened security mode, for example not responding to or not allowing communication without particular (e.g., enhanced or multi-factor) authentication. The heightened security mode can include restrictions on functionality and can require particular security permissions. In some examples, the computing device 100 can be shut down to an auxiliary state (e.g., one in which the OS 116 is not running but the BMC 112 is active) or to an off state.
In other examples, the security action can include checking the firmware on the computing device 100 or restoring it to a previous state. Further, in another example, the security action can include sending information to the CMS 260 associated with the computing device 100. The information can include various information, for example log information used to determine the activity or pattern that was found, activity information, OS logs, system logs, analysis associated with identification of the indicator, and the like. In some examples, the BMC 112 can communicate with the CMS 260, which has authentication credentials to access the BMC 112 in the heightened security mode because of the particular security permissions associated with the CMS 260 authentication credentials.
In another example, another firmware engine 110 can detect the indication of malware. For example, a tool such as malware diagnostics firmware 214 can be implemented via a firmware interface, such as a Unified Extensible Firmware Interface (UEFI) application or another lightweight bootable image, to implement security diagnostics. The security diagnostics application can be executed on demand or based on the observed state of the computing device 100 (e.g., repeated crash loops or failure to boot the main OS 116). In one example, after a threshold of consecutive boot failure events, the tool can be invoked by the firmware interface using a flag set by the BMC 112. In another example, the flag can be triggered by manual user input or by console log diagnostics that indicate malware.
The malware diagnostics firmware 214 can have the capability to inspect storage drives, for example detecting MBR encryption, detecting encrypted data in the boot partition, and looking for particular signatures or patterns in the drive, to detect malware, ransomware, or other advanced attack signatures on the storage drive. The tool can send information such as diagnostic results and/or log information to the BMC 112 and/or the CMS 260 (e.g., via the BMC). In some examples, after repeated boot failure events or based on other configured rules or policies, the BMC 112 can use pattern matching and/or anomaly detection to automatically analyze console logs for ransomware or other malware messages.
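The kind of checks such a diagnostic tool could run are sketched below: MBR structure and entropy tests for an encrypted boot block, pattern matching over console log lines, and gating on a boot-failure threshold. This is an added example, not code from the patent or any UEFI tool; the entropy limit, the failure threshold, the regular expressions, and all function names are assumptions, and the sample sectors and log lines are constructed.

```python
import hashlib
import math
import re
from collections import Counter

SECTOR = 512
ENTROPY_LIMIT = 7.0        # bits/byte; assumed threshold, plain boot code sits well below it
BOOT_FAIL_THRESHOLD = 3    # consecutive failed boots before the tool runs (assumed)
RANSOM_PATTERNS = [re.compile(p, re.I) for p in (
    r"files? (have|has) been encrypted", r"decrypt(ion)? key", r"\bransom\b")]


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_boot_sector(sector: bytes) -> list:
    """Return findings that suggest sector 0 was overwritten or encrypted."""
    if len(sector) != SECTOR:
        return ["short-read"]
    findings = []
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing-boot-signature")
    for i in range(4):                       # four 16-byte partition entries at offset 446
        if sector[446 + 16 * i] not in (0x00, 0x80):
            findings.append(f"partition-{i}-invalid-status")
    if shannon_entropy(sector[:446]) > ENTROPY_LIMIT:
        findings.append("high-entropy-boot-code")
    return findings


def scan_console_log(lines) -> list:
    """Return console lines that match a ransom-message pattern."""
    return [ln for ln in lines if any(p.search(ln) for p in RANSOM_PATTERNS)]


def diagnose(sector: bytes, console_lines, consecutive_boot_failures: int) -> dict:
    """Run the checks only once the boot-failure threshold (the BMC-set flag) is reached."""
    if consecutive_boot_failures < BOOT_FAIL_THRESHOLD:
        return {"ran": False, "indication": False, "findings": [], "log_hits": []}
    findings = check_boot_sector(sector)
    hits = scan_console_log(console_lines)
    return {"ran": True, "indication": bool(findings or hits),
            "findings": findings, "log_hits": hits}


def sample_clean_mbr() -> bytes:
    """Constructed sample: short boot stub, one bootable partition, valid signature."""
    code = (b"\xfa\x31\xc0\x8e\xd8\x8e\xc0" + b"Missing operating system\x00").ljust(446, b"\x00")
    part = bytes([0x80, 0, 2, 0, 0x83, 0xFE, 0xFF, 0xFF])
    part += (2048).to_bytes(4, "little") + (409600).to_bytes(4, "little")
    return code + part + bytes(48) + b"\x55\xaa"


def sample_encrypted_sector() -> bytes:
    """Constructed sample: a hash stream standing in for ciphertext written over sector 0."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))


if __name__ == "__main__":
    log = ["Booting from Hard Disk...", "Your files have been ENCRYPTED"]
    print(diagnose(sample_clean_mbr(), log[:1], 3))
    print(diagnose(sample_encrypted_sector(), log, 3))
```

The result dictionary is what the tool would hand to the BMC or CMS; a finding is an indication to be verified there, not a confirmation of malware.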
In response to detecting malware, CMS 260 can verify the presence of the malware and coordinate recovery of the system and/or of other systems communicatively coupled to the computing system. In one example, CMS 260 can receive information about potential malware from BMC 112. CMS 260 can process the information to verify that malware is present on computing device 100 or to determine that malware is not present. The information may include raw data such as log information and a malware diagnostic result from one of the firmware engines 110.
If malware is not present, computing device 100 can continue to process data or, if processing or communication has been disabled, quarantined, or restricted, resume normal operation. If malware is determined to be present, recovery engine 262 can be used to start a recovery process. The recovery process may include restoring the configuration settings of computing device 100 and installing a new OS on computing device 100. In some examples, the recovery process can also include confirming that the firmware has not been potentially exposed to the malware and/or reflashing and restoring one or more firmware.
In one example, a secure recovery protocol can be implemented that allows the server OS and other platform assets to be recovered automatically using the embedded BMC and CMS 260. CMS 260 can have the capability to give BMC 112 a recovery policy that includes the actions to take when an attack on the firmware or operating system is detected. As part of recovery management, the identity of CMS 260 can be stored in a secure partition on the computing device to allow communication with CMS 260 when a breach is detected. This can be part of the authentication credentials used to allow authenticated communication between BMC 112 and CMS 260.
A backup of the configuration of computing device 100, including each firmware, I/O card settings, and so on, can be stored securely for use with CMS 260, together with the identity/certificate of computing device 100, in order to verify signed breach alerts and to communicate securely using mutual authentication during the recovery phase. In one example, when BMC 112 is configured with a recovery policy from CMS 260, BMC 112 automatically enters a secure internal mode when a breach is detected; this mode allows communication only with a highest-privilege user (security recovery privilege) using mutual authentication, which uses the credentials/identity stored in the secure partition.
In various examples, CMS 260 also supports policies such as server isolation, platform forensic analysis, and automatic recovery of configuration, firmware, and OS using a baseline securely stored in CMS 260 or an external secure image repository. Isolation actions can involve configuring BMC 112 to allow login only by users with the security recovery privilege, disabling all insecure services, taking an OS dump (in the case of a firmware attack with a valid OS), shutting down network and I/O ports, and so on. When recovery engine 262 detects a breach based on a signed alert from a managed computing device 100, it coordinates the recovery process using the configured policy, which uses a snapshot of the OS image in the recovery baseline. In some examples, the recovery process can be started using an image containing advanced repair and re-imaging software that is mounted using the BMC virtual media interface. The repair and re-imaging image may include software to inspect inventory data from the last boot and, using an internal or external secure database, to identify and restore images and application-specific data on one or more disk drives.
In some examples, to recover, one or more non-volatile memories can be returned to a "factory" condition (for example, erased, written with particular values, etc.) to eliminate corruption and incorrect behavior. Firmware operations can be used to erase or reprogram non-volatile memory (for example, Serial Peripheral Interface (SPI) parts, electrically erasable programmable read-only memory (EEPROM), etc.).
In one example, in response to the signal, BMC 112 sets the computing system to a recovery state, for example by performing a low-level simple erase on multiple components that can be erased and programmed. The firmware can be intelligently set so that it can recover from the recovery state, as described further herein. Setting the firmware to a basic state provides a reset scheme from which recovery can be easier than from a reset scheme in which components still hold corrupted values. The configuration settings can then be restored from a baseline image (for example, a baseline stored on the computing device or in memory associated with recovery engine 262).
Examples of firmware engines 110 that can be recovered include a baseboard management controller (BMC), an input/output controller (I/O controller), a southbridge, a super I/O, a platform firmware controller, and so on.
In some examples, BMC 112 can automatically perform one or more recovery actions without management from the CMS. In other examples, BMC 112 sends a communication to CMS 260 as described, and CMS 260 can coordinate the recovery. In some examples, BMC 112 can automatically perform some security/recovery actions while others are coordinated via CMS 260.
As mentioned, each of devices 100, 240a-240n may include a BMC such as BMC 112, through which the device communicates with CMS 260 via management network 220. In some examples, management network 220 can be a private network that is not accessible from the outside (for example, from a production network or via the Internet). In other examples, a connection to another network environment can be provided (for example, via a firewall). CMS 260 (which may itself comprise a computer) provides a control point for device management purposes. In some examples, CMS 260 may be implemented as a virtual machine executing on a device such as computing device 100, a device 240, a server, a workstation, and so on. In one example, CMS 260 can be used by a person to manually (or via scripts) load operating systems onto devices, enable and disable various server features, and so on.
The data connections between devices 100, 240 and CMS 260 form a local area network (LAN) that, according to various examples, is used mainly or exclusively for system management purposes, that is, not for processing data according to the devices' primary function. Accordingly, management network 220 is generally not used for processing data transactions. One function of CMS 260 is to coordinate the recovery of one or more systems using recovery engine 262.
In some examples, computing device 100 and devices 240 may be implemented as computers, such as servers. In other examples, the devices may include special-purpose machines. Computing device 100, devices 240, and/or CMS 260 can be implemented via processing elements, memory, and/or other components.
Communication networks 220, 250 can use wired communication, wireless communication, or a combination thereof. Further, communication networks 220, 250 may include multiple sub-networks, such as data networks, wireless networks, telephone networks, and so on. Such networks may include, for example, a public data network such as the Internet, local area networks (LANs), wide area networks (WANs), metropolitan area networks (MANs), cable networks, fiber-optic networks, combinations thereof, and so on. In some examples, wireless networks may include cellular networks, satellite communications, wireless LANs, and so on. Further, communication networks 220, 250 can be in the form of a direct network link between devices. Various communication structures and infrastructure can be used to implement the communication networks.
For example, devices communicate with each other and with other components that have access to the communication networks via a communication protocol or multiple protocols. A protocol can be a set of rules that defines how nodes of the respective communication network interact with other nodes. Further, communication between network nodes can be implemented by exchanging discrete data packets or sending messages. A packet may include header information associated with a protocol (for example, information about the location of the network node to contact) as well as payload information.
Processing element 130 can be one or more central processing units (CPUs), one or more semiconductor-based microprocessors, one or more graphics processing units (GPUs), other hardware devices suitable for retrieving and executing instructions stored in a machine-readable storage medium, or combinations thereof. Processing element 130 can be a physical device. Moreover, in one example, processing element 130 may include multiple cores on a chip, multiple cores across multiple chips, multiple cores across multiple devices (for example, if computing device 100 includes multiple node devices), or combinations thereof. Processing element 130 can fetch, decode, and execute instructions. As an alternative or in addition to retrieving and executing instructions, processing element 130 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of the instructions.
Engines such as firmware engines 110 and recovery engine 262 include hardware and/or a combination of hardware and programming to perform the functions provided herein. Functionality attributed to a particular engine can also be implemented using another engine. In some examples, an engine can be implemented using a processing element and instructions and/or using an application-specific integrated circuit (ASIC).
As described, computing device 100 can additionally provide input/output interfaces 234. For example, input devices such as a keyboard, a sensor, a touch interface, a mouse, a microphone, and so on can be used to receive input from the environment surrounding computing device 100. Further, in some examples, an output device such as a display can be used to present information to users. Examples of output devices include speakers, display devices, amplifiers, and so on. Moreover, in some examples, some components can be used to implement the functionality of other components described herein. Input/output devices such as communication devices (for example, network communication devices or wireless devices) can also be considered devices capable of using input/output interfaces 234. Similarly, storage devices (such as arrays) can communicate via input/output interfaces 234. For example, a storage area network can be attached to computing device 100, or one or more storage drives can be attached via input/output interfaces 234.
In various examples, CMS 260 can provide additional functionality. For example, CMS 260 can provide the capability to deploy and update firmware, operating systems, drivers, and software at scale across devices, and/or other capabilities. CMS 260 may be able to manage licenses for devices in a data center. In addition, CMS 260 may be able to discover and inventory devices on management network 220. CMS 260 may be able to support both online and offline firmware and driver updates. In some examples, batch updates can be performed sequentially.
In one example, CMS 260 can inventory configuration settings, firmware levels, software information, and so on about the devices. The inventory can be stored in memory coupled to CMS 260. In addition, the memory may include tools and firmware/software images that can be used to recover the respective devices.
FIG. 3 is a flowchart of a method for performing a security action in response to an indication of malware, according to an example. FIG. 4 is a block diagram of a computing device including a baseboard management controller capable of performing a security action in response to an indication of malware, according to an example.
Although execution of method 300 is described below with reference to computing device 400, other suitable components for executing method 300 can be used (for example, computing device 100 with BMC 112). Method 300 can be implemented in the form of executable instructions stored on a tangible machine-readable storage medium (such as storage medium 420) and/or in the form of electronic circuitry.
Computing device 400 can run high-level software such as an operating system as instructions on a machine-readable storage medium and processing element (not shown). BMC 410 can be implemented using a processing element separate from the processing element that executes the OS. As such, BMC 410 is implemented using a separate controller. As described above, BMC 410 can also provide out-of-band services for computing device 400. In one example, the out-of-band services can be provided by executing service instructions 422.
At 302, the computing device can provide to the OS a storage drive that can be monitored by BMC 410. A central processing element (for example, a central processing unit (CPU)) can be given access to the storage drive. BMC 410 can also be given access to the storage drive. As described above, in one example the storage drive may include physical media such as flash memory, and in another example the storage drive can be implemented by BMC 410 as part of the out-of-band services that BMC 410 provides. As such, in one example, BMC 410 can execute service instructions 422 to provide the storage drive to the OS as a virtual or emulated drive. In addition, as described above, the storage drive may include a simulated boot sector (for example, including MBR data) and other data simulated to look like valuable data to one or more malware or ransomware attack vectors. In some examples, because BMC 410 has access to the storage drive, when new attack vectors emerge BMC 410 can update the storage drive to appear valuable to the new attack vectors.
At 304, BMC 410 can execute monitoring instructions 424 to monitor the storage drive, which acts as a honeypot for indications of malware. While monitoring, BMC 410 can determine, based on activity detected at the storage drive, that an indication of malware is present. The malware can be ransomware or another persistent threat. The detected activity can be part of a pattern or signature that BMC 410 detects on the storage drive. In one example, the indication can be a hit on a rule, criterion, pattern, or signature that indicates the presence of potential malware. As described above, the indication may include a modification or attempted modification of a portion of the storage drive (for example, the simulated MBR data).
In response to the indication, at 306, BMC 410 can execute security instructions 426 to perform a security action in response to the indication of malware. As described above, the security action may include isolating computing device 400, for example by shutting down multiple interfaces of computing device 400. The security action may also include notifying the CMS of the indication via the management network. In addition, in some examples, the security action may include checking the state of the computing device's firmware against a hash and, if the firmware has been compromised, restoring the firmware (for example, by reflashing). In some examples, the recovery or isolation of one or more components can occur in response to receiving a communication from the CMS. The indication and information associated with the potential malware can be sent to the CMS. The information may include analysis by BMC 410 or other firmware, information about the activity or pattern detected that caused the indication, and so on. As described above, BMC 410 can enter a secure mode that requires a particular level of privilege (for example, via authentication to that privilege level). Communication with the CMS can be authenticated to that privilege level.
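The monitoring at 304 and the response at 306 can be illustrated from the point of view of a BMC that serves the decoy drive itself and therefore sees every write the OS issues. The following C code is an added example, not code from the patent or from any BMC firmware; the 8-sector drive, the bait contents, the function names, and the mapping from indication to security actions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE   512
#define DECOY_SECTORS 8   /* tiny decoy drive, enough for the example */

enum indication { IND_NONE = 0, IND_BAIT_MODIFIED = 1, IND_MBR_MODIFIED = 2 };
enum action { ACT_NOTIFY_CMS = 1 << 0, ACT_ISOLATE = 1 << 1, ACT_SECURE_MODE = 1 << 2 };

struct honeypot {
    uint8_t baseline[DECOY_SECTORS][SECTOR_SIZE]; /* BMC-private copy of the bait */
    uint8_t live[DECOY_SECTORS][SECTOR_SIZE];     /* contents the OS sees */
    unsigned writes_seen;       /* in-range write requests */
    unsigned sectors_changed;   /* sector writes that differed from the bait */
    enum indication worst;      /* strongest indication so far */
};

/* Build the bait: a simulated MBR at LBA 0 plus filler "data" sectors. */
void hp_init(struct honeypot *hp)
{
    memset(hp, 0, sizeof *hp);
    uint8_t *mbr = hp->baseline[0];
    mbr[446] = 0x80; mbr[450] = 0x07;     /* active entry, type 0x07 */
    mbr[454] = 0x01;                      /* partition starts at LBA 1 */
    mbr[458] = DECOY_SECTORS - 1;         /* and covers the rest of the decoy */
    mbr[510] = 0x55; mbr[511] = 0xAA;     /* boot signature */
    for (unsigned s = 1; s < DECOY_SECTORS; s++)
        memset(hp->baseline[s], 'A' + s, SECTOR_SIZE);  /* placeholder bait */
    memcpy(hp->live, hp->baseline, sizeof hp->live);
}

/* Called for each write the OS sends to the virtual drive. */
enum indication hp_on_write(struct honeypot *hp, uint32_t lba,
                            const uint8_t *data, uint32_t count)
{
    enum indication ind = IND_NONE;

    if (count == 0 || lba >= DECOY_SECTORS || count > DECOY_SECTORS - lba)
        return IND_NONE;                  /* outside the decoy: rejected */
    hp->writes_seen++;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *src = data + (size_t)i * SECTOR_SIZE;
        memcpy(hp->live[lba + i], src, SECTOR_SIZE);  /* the write "succeeds" */
        if (memcmp(src, hp->baseline[lba + i], SECTOR_SIZE) == 0)
            continue;                     /* same bytes as the bait: no change */
        hp->sectors_changed++;
        enum indication hit = (lba + i == 0) ? IND_MBR_MODIFIED : IND_BAIT_MODIFIED;
        if (hit > ind) ind = hit;
    }
    if (ind > hp->worst) hp->worst = ind;
    return ind;
}

/* Assumed policy: any bait change is reported to the CMS; a change to the
 * simulated MBR also isolates the host and puts the BMC in its secure mode. */
unsigned hp_actions(const struct honeypot *hp)
{
    switch (hp->worst) {
    case IND_MBR_MODIFIED:  return ACT_NOTIFY_CMS | ACT_ISOLATE | ACT_SECURE_MODE;
    case IND_BAIT_MODIFIED: return ACT_NOTIFY_CMS;
    default:                return 0;
    }
}

/* Constructed scenario: sector 3 is rewritten with the bytes it already holds. */
unsigned demo_benign_rewrite(void)
{
    static struct honeypot hp;
    uint8_t same[SECTOR_SIZE];
    hp_init(&hp);
    memcpy(same, hp.baseline[3], SECTOR_SIZE);
    hp_on_write(&hp, 3, same, 1);
    return hp_actions(&hp);
}

/* Constructed scenario: LBA 0-1 are overwritten with a deterministic byte
 * pattern standing in for ciphertext. */
unsigned demo_mbr_overwrite(void)
{
    static struct honeypot hp;
    uint8_t blob[2 * SECTOR_SIZE];
    hp_init(&hp);
    for (size_t i = 0; i < sizeof blob; i++)
        blob[i] = (uint8_t)(i * 167u + 13u);
    hp_on_write(&hp, 0, blob, 2);
    return hp_actions(&hp);
}

int main(void)
{
    printf("benign rewrite -> actions 0x%x\n", demo_benign_rewrite());
    printf("MBR overwrite  -> actions 0x%x\n", demo_mbr_overwrite());
    return 0;
}
```

Because the baseline copy is never exposed to the OS, the bait can be restored from it after an event and the counters can accompany the log information sent to the CMS.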
BMC 410 can be one or more processors, microcontrollers, or other hardware devices suitable for retrieving and executing instructions stored in machine-readable storage medium 420, or combinations thereof. BMC 410 can be a physical device. Moreover, in one example, BMC 410 can fetch, decode, and execute instructions 422, 424, 426 to implement method 300. As an alternative or in addition to retrieving and executing instructions, BMC 410 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 422, 424, 426.
Machine-readable storage medium 420 can be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, the machine-readable storage medium can be, for example, random access memory (RAM), electrically erasable programmable read-only memory (EEPROM), a storage drive, a compact disc read-only memory (CD-ROM), and so on. As such, the machine-readable storage medium can be non-transitory. As described in detail herein, in one example, machine-readable storage medium 420 can be encoded with a series of executable instructions for implementing method 300.
FIG. 5 is a flowchart of a method for starting a recovery process based on confirming a firmware indication that ransomware is present on a system, according to an example. FIG. 6 is a block diagram of a central management system capable of starting a recovery process on a computing system based on a firmware indication of ransomware, according to an example.
Method 500 can begin at 502, where CMS 600 receives information about an indication of malware from BMC 650. The information may include log information, for example information about activity or attempted activity collected at the storage device that BMC 650 is monitoring. Communication with BMC 650 can be authenticated. Communication instructions 622 can be executed by processing element 610 to implement the authenticated communication. Further, CMS 600 can have a privilege level that allows it to communicate with BMC 650 while the BMC is at an elevated security level, where the elevated security level requires a particular authentication level that the authenticated communication satisfies, for example via an exchange of tokens or credentials.
At 504, processing element 610 can execute analysis instructions 624 to determine from the received information whether malware (for example, ransomware) is present. The analysis may include verification using a SIEM or other security analysis approaches, such as pattern detection, signature detection, and so on. In one example, the logs can show that the indication was caused by a defragmentation algorithm on the computing device rather than by activity caused by malware. In another example, the logs can show that the indication was caused by malicious activity.
In response to the verification, at 506, recovery instructions 626 can be executed to start a recovery process on the computing device associated with BMC 650. CMS 600 can coordinate the recovery of the computing device. Recovery may include restoring the configuration settings of the computing device and installing a new operating system on the computing device. The new operating system can be installed via a virtual media interface provided to the computing device through BMC 650. In some examples, the recovery may include verifying the firmware on the computing device or reflashing the firmware to a controlled baseline level. Restoring baseline configuration settings can be customized for the environment in which the computing device is located rather than for the basic firmware of the computing device. Moreover, installing a new operating system on top of baseline firmware can provide a secure and reliable operating environment. This is particularly useful in a data center, where clustered machines can be easily replaced and provisioned and where user data is stored separately on storage (such as a storage array).
As described above, CMS 600 may be implemented as a virtual machine on a computing device. In other examples, CMS 600 may be implemented as part of a separate computing device or multiple machines.
Processing element 610 can be one or more central processing units (CPUs), one or more semiconductor-based microprocessors, one or more graphics processing units (GPUs), other hardware devices suitable for retrieving and executing instructions stored in machine-readable storage medium 620, or combinations thereof. Processing element 610 can be a physical device. Moreover, in one example, processing element 610 may include multiple cores on a chip, multiple cores across multiple chips, multiple cores across multiple devices (for example, if CMS 600 includes multiple node devices), or combinations thereof. Processing element 610 can fetch, decode, and execute instructions 622, 624, 626 to implement method 500. As an alternative or in addition to retrieving and executing instructions, processing element 610 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 622, 624, 626.
Machine-readable storage medium 620 can be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, the machine-readable storage medium can be, for example, random access memory (RAM), electrically erasable programmable read-only memory (EEPROM), a storage drive, a compact disc read-only memory (CD-ROM), and so on. As such, the machine-readable storage medium can be non-transitory. As described in detail herein, machine-readable storage medium 620 can be encoded with a series of executable instructions for implementing method 500.
Although certain implementations have been shown and described above, various changes in form and details can be made. For example, some features and/or processes described with respect to one implementation can be related to other implementations. In other words, processes, features, components, and/or properties described in relation to one implementation can be useful in other implementations. Furthermore, it should be appreciated that the systems and methods described herein can include various combinations and/or sub-combinations of the components and/or features of the different implementations described. Thus, features described with reference to one or more implementations can be combined with other implementations described herein.

Claims (20)

1. A computing system, comprising:
a computing device, the computing device including:
at least one processing element;
memory;
firmware engines, the firmware engines including:
a baseboard management controller (BMC) separate from the at least one processing element, the BMC to provide at least one out-of-band service for the computing device;
firmware that executes on the at least one processing element during boot,
wherein at least one of the firmware engines is to:
determine that an indication of the presence of malware exists on the computing device; and
perform a security action in response to the indication of the presence of the malware on the computing device.
2. The computing system of claim 1, wherein the BMC is further to:
monitor a storage drive accessible to an operating system executing on the at least one processing element, to determine that the indication of the presence of malware exists on the computing device.
3. The computing system of claim 2, wherein the storage drive is a virtual drive provided to the operating system by the BMC.
4. The computing system of claim 2, wherein the storage drive includes flash memory accessible to the BMC and the operating system.
5. The computing system of claim 1, wherein the storage drive includes simulated master boot partition data and other data indicative of an operating system.
6. The computing system of claim 5, wherein the malware includes ransomware, and wherein activity detected on the drive according to a pattern results in the indication that the ransomware is present on the computing device.
7. The computing system of claim 6, wherein the pattern includes a modification of the boot partition data.
8. The computing system of claim 7, wherein the security action includes isolating the computing device from a plurality of other devices communicatively coupled to the computing device.
9. The computing system of claim 1, further comprising:
a central management system (CMS),
wherein the BMC sends, via authenticated communication, log information associated with the indication of the presence of malware to the CMS,
wherein the CMS is to:
verify that the log information indicates that the malware is present; and
start a recovery process, the recovery process including restoring configuration settings of the computing device and installing a new operating system on the computing device.
10. The computing system of claim 9, wherein the security action includes the BMC communicating in an elevated security mode, the elevated security mode having restricted functionality that requires a particular security privilege, wherein the authenticated communication uses the particular security privilege.
11. The computing system of claim 9, wherein the firmware that executes on the at least one processing element during boot is further to:
determine from a pattern of boot failures that the indication of the malware exists;
initiate malware diagnostics to determine a malware diagnostic result; and
send the malware diagnostic result to the BMC,
wherein the BMC further sends the malware diagnostic result to the CMS via the authenticated communication, and
wherein the verification of the log information is further based on the malware diagnostic result.
12. A non-transitory machine-readable storage medium storing instructions that, if executed by a baseboard management controller (BMC) of a computing device, cause the BMC to:
provide at least one out-of-band service for the computing device;
provide a storage drive to an operating system executing on a central processing element separate from the BMC;
monitor the storage drive, which acts as a honeypot, to determine, based on activity detected at the storage drive, that an indication of malware is present on the computing device; and
in response to the indication of the presence of the malware, perform a security action on the computing device.
13. The non-transitory machine-readable storage medium of claim 12, wherein the storage drive is a virtual drive provided to the operating system by the BMC.
14. The non-transitory machine-readable storage medium of claim 13, wherein the storage drive includes simulated master boot record data and other data.
15. The non-transitory machine-readable storage medium of claim 14, wherein the malware includes ransomware, and wherein the activity detected on the storage drive is associated with a pattern and results in the indication that the ransomware is present on the computing device, wherein the pattern includes a modification of the simulated master boot record data.
16. The non-transitory machine-readable storage medium of claim 12, wherein the security action includes isolating the computing device by shutting down a plurality of interfaces of the computing device.
17. A method, comprising:
providing, by a baseboard management controller (BMC), at least one out-of-band service for a computing device,
wherein the BMC is separate from a central processing element, the central processing element executing an operating system of the computing device;
monitoring, by the BMC, a honeypot storage device provided to the operating system, wherein the honeypot storage device includes a simulated master boot record and other data;
determining, by the BMC, based on the monitoring, that an activity pattern indicating the presence of ransomware exists on the computing device; and
in response to determining that the activity pattern indicating the ransomware is present on the computing device, performing a security action by the BMC.
18. The method of claim 17, further comprising:
isolating, by the BMC, the computing device as part of the security action.
19. The method of claim 17, further comprising:
sending, by the BMC, log information associated with the activity pattern to a central management system (CMS) via authenticated communication,
wherein, as part of the security action, the BMC is elevated to a security level that requires an authentication level that the authenticated communication satisfies;
determining, by the CMS, that the log information indicates that the ransomware is present; and
starting, by the CMS, a recovery process, the recovery process including restoring configuration settings of the computing device and installing a new operating system on the computing device via virtual media provided by the BMC.
20. The method of claim 17, wherein the pattern includes a modification of the simulated master boot record data.
CN201810035877.2A 2017-11-20 2018-01-15 Method and non-transitory machine-readable storage medium for performing security actions Active CN109815698B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/817,638 2017-11-20
US15/817,638 US10956575B2 (en) 2017-11-20 2017-11-20 Determine malware using firmware

Publications (2)

Publication Number Publication Date
CN109815698A true CN109815698A (en) 2019-05-28
CN109815698B CN109815698B (en) 2023-10-31

Family

ID=60972107

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810035877.2A Active CN109815698B (en) 2017-11-20 2018-01-15 Method and non-transitory machine-readable storage medium for performing security actions

Country Status (3)

Country Link
US (1) US10956575B2 (en)
EP (1) EP3486824B1 (en)
CN (1) CN109815698B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021028740A1 (en) * 2019-08-13 2021-02-18 International Business Machines Corporation Automatic ransomware detection with an on-demand file system lock down and automatic repair function
US11328064B2 (en) 2019-08-13 2022-05-10 International Business Machines Corporation Automatic ransomware detection with an on-demand file system lock down and automatic repair function

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11575688B2 (en) * 2018-05-02 2023-02-07 Sri International Method of malware characterization and prediction
US11055444B2 (en) * 2018-06-20 2021-07-06 NortonLifeLock Inc. Systems and methods for controlling access to a peripheral device
US20210019421A1 (en) * 2019-07-16 2021-01-21 Hewlett Packard Enterprise Development Lp Identifying a security vulnerability in a computer system
CN110795738B (en) * 2019-09-19 2022-05-13 超聚变数字技术有限公司 Computer starting method, controller, storage medium and system
US11652831B2 (en) 2020-04-14 2023-05-16 Hewlett Packard Enterprise Development Lp Process health information to determine whether an anomaly occurred
US11811824B2 (en) * 2020-06-08 2023-11-07 Target Brands, Inc. Security system for detecting malicious actor's observation
US11748478B2 (en) * 2020-08-07 2023-09-05 Softiron Limited Current monitor for security
US11687431B2 (en) * 2021-01-18 2023-06-27 Dell Products L.P. Determining changes to components of a computing device prior to booting to a primary environment of the computing device
US20220276876A1 (en) * 2021-03-01 2022-09-01 Softiron Limited Remote Server Management Utilizing Self Contained Baseboard Management Controller
US11336685B1 (en) * 2021-12-22 2022-05-17 Nasuni Corporation Cloud-native global file system with rapid ransomware recovery

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7725937B1 (en) * 2004-02-09 2010-05-25 Symantec Corporation Capturing a security breach
US20140373151A1 (en) * 2013-06-18 2014-12-18 Dell Products, Lp System and Method for Operating Malicious Marker Detection Software on Management Controller of Protected System
WO2016064433A1 (en) * 2014-10-24 2016-04-28 Mcafee, Inc. Agent presence for self-healing
US20160217283A1 (en) * 2015-01-26 2016-07-28 Dell Products, Lp Method for Logging Firmware Attack Event and System Therefor
US20160267275A1 (en) * 2015-03-12 2016-09-15 International Business Machines Corporation Securely booting a computer from a user trusted device
CN106030512A (en) * 2014-03-26 2016-10-12 英特尔公司 Initialization trace of a computing device
CN106599694A (en) * 2015-10-14 2017-04-26 广达电脑股份有限公司 Security protection management methods, computer systems and computer-readable storage media
CN107025406A (en) * 2016-02-01 2017-08-08 广达电脑股份有限公司 Motherboard, computer readable storage means and firmware validation method

Family Cites Families (6)

Publication number Priority date Publication date Assignee Title
EP1578082B1 (en) 2004-03-16 2007-04-18 AT&T Corp. Method and apparatus for providing mobile honeypots
US8181250B2 (en) 2008-06-30 2012-05-15 Microsoft Corporation Personalized honeypot for detecting information leaks and security breaches
US8935773B2 (en) 2009-04-09 2015-01-13 George Mason Research Foundation, Inc. Malware detector
US9317690B2 (en) 2011-03-28 2016-04-19 Mcafee, Inc. System and method for firmware based anti-malware security
US9473520B2 (en) 2013-12-17 2016-10-18 Verisign, Inc. Systems and methods for incubating malware in a virtual organization
US10708290B2 (en) 2016-01-18 2020-07-07 Secureworks Corp. System and method for prediction of future threat actions

Non-Patent Citations (1)

Title
苏振宇;: "基于国产BMC的服务器安全启动技术研究与实现", 信息安全研究, no. 09, pages 57 - 65 *

Cited By (5)

Publication number Priority date Publication date Assignee Title
WO2021028740A1 (en) * 2019-08-13 2021-02-18 International Business Machines Corporation Automatic ransomware detection with an on-demand file system lock down and automatic repair function
US11328064B2 (en) 2019-08-13 2022-05-10 International Business Machines Corporation Automatic ransomware detection with an on-demand file system lock down and automatic repair function
GB2601938A (en) * 2019-08-13 2022-06-15 Ibm Automatic ransomware detection with an on-demand file system lock down and automatic repair function
GB2601938B (en) * 2019-08-13 2022-12-21 Ibm Automatic ransomware detection with an on-demand file system lock down and automatic repair function
US11693963B2 (en) 2019-08-13 2023-07-04 International Business Machines Corporation Automatic ransomware detection with an on-demand file system lock down and automatic repair function

Also Published As

Publication number Publication date
US20190156039A1 (en) 2019-05-23
CN109815698B (en) 2023-10-31
US10956575B2 (en) 2021-03-23
EP3486824A1 (en) 2019-05-22
EP3486824B1 (en) 2021-09-08

Similar Documents

Publication Publication Date Title
CN109815698A (en) Malware is determined using firmware
US11176255B2 (en) Securely booting a service processor and monitoring service processor integrity
US11503030B2 (en) Service processor and system with secure booting and monitoring of service processor integrity
CN109918916B (en) Dual-system trusted computing system and method
US9087199B2 (en) System and method for providing a secured operating system execution environment
CN103299311B (en) Methods and apparatus for trusted boot optimization
CN102651061B (en) System and method of protecting computing device from malicious objects using complex infection schemes
CN102035651B (en) Computer system and method with anti-malware
KR101458780B1 (en) Providing a multi-phase lockstep integrity reporting mechanism
US9143509B2 (en) Granular assessment of device state
CN112840318A (en) Automated operation management for computer systems
Ho et al. PREC: practical root exploit containment for android devices
CN110321235B (en) System interaction method and device of trusted computing platform based on dual-system architecture
US11438349B2 (en) Systems and methods for protecting devices from malware
CN105468978A (en) Trusted computing cryptogram platform suitable for general computation platform of electric system
CN110334512B (en) Static measurement method and device of trusted computing platform based on dual-system architecture
CN105531692A (en) Security policies for loading, linking, and executing native code by mobile applications running inside of virtual machines
KR20100037016A (en) Hardware-based anti-virus scan service
CN110334521A (en) Credible accounting system construction method, device, credible accounting system and processor
CN110109710B (en) Method and system for establishing OS (operating system) trust chain without physical root of trust
CN110334522A (en) Start the method and device of measurement
US11750634B1 (en) Threat detection model development for network-based systems
KR20200041639A (en) In-vehicle software update system and method for controlling the same
CN110334509B (en) Method and device for constructing trusted computing platform of dual-system architecture
Cutler et al. Trusted disk loading in the Emulab network testbed

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant